[tor-dev] Support for full DNS resolution and DNSSEC validation
David Goulet
dgoulet at torproject.org
Thu May 14 19:56:54 UTC 2020
On 26 Apr (19:37:56), Christian Hofer wrote:
> Hi there,
Greetings Christian!
>
> I have a proposal regarding DNS name resolution.
>
> Ticket: https://trac.torproject.org/projects/tor/ticket/34004
> Proposal:
> https://trac.torproject.org/projects/tor/attachment/ticket/34004/317-secure-dns-name-resolution.txt
> Implementation: https://github.com/torproject/tor/pull/1869
First, this is quite impressive piece of work. I was _NOT_ expecting a 27k
line diff ;).
So the proposal looks very good. I like the idea very much. I honestly thought
that you were about to propose a way for Tor to talk to an *external* DNS
resolver client application (third part) but I see that client DNSSEC is
basically implemented in tor with your patch which is... interesting?
Before we go further, can you walk me through the reasons (if you had thought
of it of course) why you didn't use something like libunbound?
There are side effects of adding DNSSEC client support (with our own
implementation) that we, people maintaining tor, have to become DNSSEC expert
in some ways just to be able to understand what is happening in that code, fix
issues but also possibly implement new features if any. That is where a third
part library like unbound becomes very nice because they are the experts at
providing such features.
Of course, everytime we have to link to an external library we do it carefully
and with considerations because of the "yet another attack" vector problem.
But adding that much code to support a well known feature like DNSSEC also has
huge implications for tor maintainability and security.
Finally, something I noticed and made me itch a bit. You hardcoded a lot of
.onions where one appears to be Cloudflare (?) resolver. What are the other
addresses? I worry here because default options are always the one used the
most so I'm concerned here about shipping hardcoded addresses _within_ our C
code.
Thanks!
David
--
dApigzB8NtOQEAlKqhqbshxjxOMakjiX9LGU9wvhFqs=
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20200514/cc99a582/attachment.sig>
More information about the tor-dev
mailing list